Introduction:

The Saudi Data and Artificial Intelligence Authority (“SDAIA”) has recently released a draft for the implementing regulation of the Personal Data Protection Law (“Implementing Regulation” or “IR”) and the Regulation in relation to Personal Data Transfer outside the Geographical Boundaries of the Kingdom (“Data Transfer Regulation” or “DTR” together with the Implementing Regulation referred to as the “Draft Regulations”). The Draft Regulations will stay up for public consultation until 31/07/2023G and the final versions are expected to be issued formally before the entry into force of the of the Personal Data Protection Law (the “PDPL”) on 14 September 2023G.

In view of the very recent release of the PDPL’s amendments on 05/09/1444H (Corresponding to 27/03/2023G) by Royal Decree Number: M/148, businesses that handle personal data have been eagerly anticipating the Draft Regulations. It is critical to comprehend the provisions specified in these regulations as they will significantly impact the management, processing, collection, transfer, and disclosure of personal data both within the Kingdom of Saudi Arabia (“KSA” or “Saudi Arabia”) and on a cross boarder bases. It is also worth mentioning that these Draft Regulations are subject to potential amendments before their finalization but nevertheless, may indicate the principal guidelines for the final adopted versions.

The following are summary points to better understanding the Draft Regulations:

The Implementing Regulation (“IR”)[1]:

1. Legal Basis of Processing and Disclosing Personal Data:The IR establishes the legal basis for processing or disclosing personal data in accordance with the PDPL.  Also, the processing or disclosure of personal data is permissible under several conditions. Firstly, explicit permission from the individual whose data is being used is necessary. In addition, it’s allowed if it serves to protect the data subject’s vital interests or is mandated by an alternate law. Furthermore, if the data controller is a public organization, data handling is permissible if it’s needed for security measures, to satisfy judicial requirements, or to serve the public interest. Also worth noting is that the PDPL permits the processing or disclosure if it is in the interest of public health or safety, for the protection of certain individuals, or if the data is openly accessible or sourced from a public platform. The pursuit of the data controller’s or the data subject’s legitimate interests, the execution of an agreement involving the data subject, or if the processing is mandated by another legislation are demonstrations of other permissible circumstances.
2. Responsibilities and Obligations of the Controller:Controllers are obligated to ensure that data subjects are able to exercise their rights under the PDPL. The IR outlines the controller’s responsibilities and obligations to protect data subjects’ rights and implement policies which enable the data subject to exercise said rights.
3. Right to Information:Controllers must notify data subjects about relevant information specified in the IR to ensure the data subject understand their rights and the Controllers obligations.
4. Data Subject’s Rights:The IR specifies conditions and obligations concerning the data subject’s right to access their personal data, request a readable copy of their data, request data correction, and request the destruction of personal data.
5. Consent and Withdrawal:The IR details the basis and requirements for obtaining and withdrawing the consent of the data subject.
6. Handling of Personal Data by Legal Guardians:Guidelines and responsibilities for legal guardians handling personal data of data subjects are specifically outlined.
7. Processing of Personal Data for Legitimate Interest:Conditions and assessments for processing personal data based on legitimate interests are provided.
8. Selection and Agreement with Data Processors:Controllers have responsibilities when selecting data processors and establishing agreements with them to pass along their obligations to the data subjects down the line.
9. Processing Personal Data for Secondary Use:Conditions for processing personal data for secondary purposes are defined.
10. Data Minimization:The Controllers shall only collect the minimum amount of personal data required to achieve the processing purpose. This involves collecting data which is only directly related to the processing goal and may be determined using data maps or other tools. In addition, while achieving the processing goal, the Controller must maintain reasonable precautions to prevent the collection of unnecessary personal data. Written procedures are also required for identifying which personal data will be used for certain purposes. Finally, the Controller shall only retain the absolute minimal amount of personal data necessary for processing.
11. Disclosure of Personal Data:Cases of personal data disclosure and associated obligations of controllers are outlined.
12. Data Correction Obligations:Controllers have specific obligations when correcting personal data.
13. Organizational, Administrative, and Technical Measures:Controllers must implement measures to ensure data subject privacy and personal data security.
14. Notification of Data Breaches:Controllers are obliged to notify the competent authority in case of any data breach within a delay not exceeding (72) hours of becoming aware of the incident if such incident potentially causes harm to the personal data or to the data subject or conflict with their rights or interest.
15. Impact Assessment:Controllers must prepare a written assessment of potential impacts and risks to data subjects, as well as the provisions for conducting such an assessment.
16. Additional Measures for Health and Credit Data:Additional security measures and obligations for processing health and credit data are specified.
17. Processing Data for Advertising or Awareness Purposes:Conditions for processing personal data for advertising or awareness purposes are defined.
18. Direct Marketing Obligations:Controllers must fulfill specific obligations when processing personal data for direct marketing purposes.
19. Data Collection for Scientific, Research, or Statistical Purposes:Obligations and requirements for the collection and processing of data for scientific, research, or statistical purposes are outlined.
20. Data Transfer or Disclosure Outside KSA:Reference is made to the laws and regulations governing data transfer or disclosure to entities outside KSA.
21. Appointment of Data Protection Officers:Cases in which controllers are obliged to appoint data protection officers who can be individuals serving as officials, employees, or external contractors.
22. Record-Keeping Requirements:Controllers must maintain a written record of personal data processing activities during their period of activity, as well as for three years after their activity ends. This applies to controllers who process personal data on a large scale or regularly for individuals lacking legal capacity, or for activities that require continuous monitoring or use new technologies, or for making decisions based on automated processing. Otherwise, controllers are obliged to maintain the records of personal data processing activities for one year after their activity ends.
23. Registration in the National Register of Controllers:The competent authority is responsible for issuing rules for registration in the national register of controllers.
24. Licensing of Accreditation Certificate Issuers:Rules for licensing entities that issue accreditation certificates for controllers and processors are under the responsibility of the competent authority.
25. Data Subject Complaints:Details regarding the submission of data subject complaints to competent authorities are provided.

The Data Transfer Regulation (“DTR”)[2]:

1. General Provisions:Controllers must comply with relevant laws and regulations when transferring or disclosing personal data outside KSA unless they contradict local Saudi laws and regulations. The DTR also outlines that the transfer or disclosure does not impact national security or vital interests of the KSA or violate any other law in the KSA. Controllers must also limit the transfer or disclosure of personal data to a party outside the KSA to the minimum necessary amount to achieve the purpose of the transfer or disclosure. In addition, the Controller must ensure the transfer or disclosure does not negatively impact the privacy of data subjects or the level of protection for personal data guaranteed by PDPL, by ensuring the transfer will not compromise the data subject’s ability to exercise their rights, withdraw consent, file complaints, or the Controller’s ability to notify breaches, disclose data properly, destroy data, or take security measures. The DTR also applies to metadata, operational, backup, monitoring, support, and derived data that identifies data subjects, but does not apply to transfers of data that does not identify data subjects.
2. Transfer Based on Adequate Level of Protection:Competent authorities evaluate the level of protection for personal data in the receiving jurisdiction, considering factors such as existing laws guaranteeing personal data protection, the ability of data subjects to exercise their rights, and the presence of a supervisory authority responsible for monitoring compliance.
3. Assessment and Decision-Making: The competent authority coordinates with other authorities to assess the level of personal data protection outside KSA. The results are submitted to the prime minister, who can issue an adequacy decision based on the evaluation.
4. Exemptions:Exemption cases are defined when an appropriate level of personal data protection is absent, but certain guarantees are present or in specific circumstances outlined by the Implementing Regulation.
5. Safeguards for Data Transfer:Controllers must ensure that the transfer or disclosure of personal data outside KSA does not compromise privacy and must adhere to specified guarantees, such as approved binding codes of conduct and the role of data protection officers.
6. Cases Where Safeguards Are Not Applicable:Exceptions to the safeguards for transferring personal data outside KSA are specified in which these exceptions are related to the importance of the need for data transfer or disclosure.
7. Final Provisions:Controllers are responsible for conducting risk assessments in certain cases, and reference to the competent authorities to issue guidelines relevant to the provisions of the data transfer and disclosure regulations.

[1] https://istitlaa.ncc.gov.sa/ar/Transportation/NDMO/IMPLEMENTINGPDPL/Pages/default.aspx

[2] Regulations on Personal Data Transfer outside the Geographical Boundaries of KSA – https://istitlaa.ncc.gov.sa/ar/Transportation/NDMO/RPDTO/Pages/default.aspx

Authors:  Amr Hammad, Partner, Asad Ahmad, Senior Associate and Mario Fakhry, Associate.

For further information, please contact Alex Saleh (alex.saleh@glaco.com) and Fadi Daher (fadi.daher@glaco.com).